[00:05.750 --> 00:10.610]  Hello, welcome to DEFCON 28 Demo Labs.
[00:10.610 --> 00:15.490]  Today I'm going to show you a tool called Circo, version 2.
[00:16.030 --> 00:20.270]  Hello, virtual friend. My name is Emilio.
[00:20.410 --> 00:25.770]  I'm from Argentina, I'm currently located in Japan,
[00:25.770 --> 00:33.190]  and I have a background of hacking, networks, firewall, packets, electronics,
[00:33.190 --> 00:36.350]  and a bit of 3D printing as well.
[00:36.350 --> 00:45.430]  I present tools in various conferences around Asia, US, Europe, a bit of here and there,
[00:45.430 --> 00:51.490]  and I'm actually 16 hours ahead of DEFCON, so I'm in the future.
[00:51.850 --> 00:58.870]  As you can see, my English is very Argentinian, and I'm definitely not a native programmer.
[00:58.870 --> 01:01.530]  So, let's move on to Circo.
[01:05.420 --> 01:11.280]  All right, before I actually move on, let's talk about the legal disclaimer.
[01:11.780 --> 01:16.420]  This tool is provided for educational, research, or testing purposes.
[01:16.420 --> 01:21.740]  Using this tool against network systems without permission is illegal.
[01:22.100 --> 01:27.200]  Radio waves are regulated per country, so you must check your own country's regulations
[01:27.200 --> 01:32.540]  to see if what you're doing is compliant, etc.
[01:33.260 --> 01:38.620]  I'm not responsible for any good or bad things you do with it, blah, blah, blah.
[01:38.620 --> 01:40.080]  Okay, great.
[01:40.220 --> 01:43.680]  Wait, what is Circo version 1 if this is version 2?
[01:44.080 --> 01:52.320]  All right, so Circo version 1 is actually based on Python 2.
[01:52.320 --> 01:57.020]  It was a network implant using cheap hardware like Raspberry Pi,
[01:57.020 --> 02:04.160]  and the idea is to exploit the zero trust that network automation tools have these days.
[02:04.260 --> 02:09.160]  The whole concept of the network automation tool is to auto-discover things,
[02:09.160 --> 02:10.980]  like Cisco switches, for example.
[02:11.000 --> 02:12.980]  So, what about if I am a Cisco switch?
[02:12.980 --> 02:16.920]  That means that they will try to connect to me to grab my configurations?
[02:17.220 --> 02:18.020]  Exactly.
[02:18.020 --> 02:24.160]  So, the whole concept of that was, okay, I build with cheap hardware a Cisco switch,
[02:24.160 --> 02:27.200]  behaving as a Cisco switch, as a honeypot, basically,
[02:27.200 --> 02:31.260]  and then I wait for automation tools to connect to me.
[02:31.320 --> 02:35.340]  So, once they connect to me and they give me the credentials, thank you very much,
[02:35.340 --> 02:40.160]  I will actually exfiltrate it to the Internet, to my own Internet server.
[02:40.420 --> 02:44.160]  For that, I came up with a few different techniques for exfiltration,
[02:44.820 --> 02:51.200]  and also some additions like encryption and anti-forensics, etc.
[02:51.960 --> 02:57.020]  Over the past year, well, actually over 2019,
[02:57.020 --> 03:04.460]  most of the features and techniques used here were actually feedback
[03:04.460 --> 03:08.540]  from when I was presenting this tool in various conferences and friends
[03:08.540 --> 03:10.840]  and people suggesting things.
[03:10.840 --> 03:14.540]  So, it improved over the time.
[03:14.540 --> 03:19.580]  So, just to show you how version 1 actually looks.
[03:20.880 --> 03:22.720]  Let me turn off the camera.
[03:22.720 --> 03:29.620]  So, version 1 used to be like a network outlet that you have these things on top of your desk
[03:29.620 --> 03:32.480]  or under your desk where you put the network ports here,
[03:32.480 --> 03:35.400]  and inside was actually things like this, right?
[03:35.420 --> 03:39.700]  Raspberry Pi and some electronics, buttons, etc.
[03:41.960 --> 03:45.480]  Also, there's a bigger box of it, similar concept,
[03:45.480 --> 03:48.260]  the network ports here, right?
[03:48.380 --> 03:53.800]  And you actually, inside of this, let me see if I can open it like that,
[03:53.800 --> 03:59.060]  you will have a Raspberry Pi and electronics and PoE, etc, etc.
[04:00.200 --> 04:04.280]  So, that's pretty much what was done with version 1, right?
[04:07.490 --> 04:10.110]  Okay, great. Good to know.
[04:11.470 --> 04:14.850]  So, what's version 2 about?
[04:14.850 --> 04:21.590]  Well, basically, Python 2 was supposed to be, allegedly, end of life, blah, blah, blah,
[04:21.590 --> 04:23.290]  so it needed to be Python 3.
[04:23.390 --> 04:27.630]  So, I dedicated time and migrated everything to Python 3,
[04:27.630 --> 04:32.290]  which is not as simple as replacing python with python3 at the top.
[04:32.290 --> 04:34.090]  Nope, doesn't work like that.
[04:34.090 --> 04:36.990]  So, most of the stuff was recoded.
[04:36.990 --> 04:40.390]  Probably 70-80% of the code was recoded.
[04:40.390 --> 04:43.210]  So, I took the opportunity and made it modular code.
[04:43.270 --> 04:51.530]  So, that will allow me to easily add all the features and exfiltration techniques using modular code, right?
[04:51.710 --> 04:56.150]  Also, I have a couple of features that people suggested in the past.
[04:56.150 --> 05:00.710]  For example, MAC and IP address spoofing when you do exfiltration.
[05:00.710 --> 05:09.730]  Also, it was suggested to me that, because I'm tapping, I'm man-in-the-middle between a phone and the network,
[05:09.730 --> 05:14.810]  I could also record calls, like getting audio files. I do.
[05:14.930 --> 05:27.790]  I added support for a tool called net-creds, which actually captures unencrypted credentials or hashes of NTLM, HTTP, SMTP, IMAP, etc.
[05:27.790 --> 05:30.950]  Kerberos as well, right? FTP, etc.
[05:30.950 --> 05:33.570]  Yeah, various ones.
[05:33.770 --> 05:39.390]  I added as well: before, I used to use either magnets or push buttons to detect if someone opened the case, for the alarm.
[05:39.390 --> 05:43.470]  And now I'm using an LDR, which is a light sensor, basically.
[05:44.530 --> 05:50.310]  And I added an extra exfiltration method using FM.
[05:50.630 --> 05:56.330]  Because the phone itself will authenticate, I also collect the SIP authentication hash.
[05:56.330 --> 06:03.070]  And I added a new camouflage hardware, which will be something very familiar to you.
[06:04.850 --> 06:14.350]  If you recall, this is a power injector from Cisco, used for phones, also for APs as well.
[06:14.590 --> 06:18.570]  So I'm actually going to use this as a new camouflage hardware.
[06:18.570 --> 06:24.650]  Instead of using these boxes, network outlets, I'm going to use one of these.
[06:24.650 --> 06:25.650]  Why not?
[06:26.330 --> 06:31.510]  For that, I also added TCP exfiltration.
[06:31.790 --> 06:37.030]  Before it used to be HTTP, HTTPS, now it's any TCP port you would like to use.
[06:37.030 --> 06:39.270]  80, 40, 25, whatever.
[06:39.830 --> 06:45.370]  Because I'm using a new method for exfiltration, FM, so you will probably need one of these.
[06:45.370 --> 06:48.930]  Which is actually an SDR dongle, right?
[06:48.930 --> 06:52.950]  To be able to capture those radio waves.
[06:52.950 --> 06:59.070]  And I also improved a lot the Cisco IOS honeypot.
[06:59.070 --> 07:08.750]  So when I recoded it, I improved the Telnet, the SSH, the CDP and LLDP daemons, right?
[07:09.390 --> 07:16.900]  OK, so let's go back to here, right?
[07:16.900 --> 07:21.200]  These are all the things that have been added in version 2.
[07:21.200 --> 07:24.900]  Which we will go over today, just to recap.
[07:25.160 --> 07:29.580]  We have what the honeypot will provide as Cisco services.
[07:29.580 --> 07:35.760]  Remember, we are trying to emulate the Cisco switch, so we do provide CDP and LLDP advertisements.
[07:36.100 --> 07:40.080]  As a Cisco switch, or actually a phone, if you want to run in single mode.
[07:40.080 --> 07:43.780]  We also provide an SNMP agent, so you can actually poll it.
[07:43.780 --> 07:50.880]  That's the idea of the automation system, to poll the SNMP communities, SNMP MIBs from the Cisco switch.
[07:50.880 --> 07:59.720]  So we have one of those, we provide CLI via Telnet and SSH, with quite a few commands.
[07:59.840 --> 08:08.100]  And also a TCP stack, so when we get fingerprinting, we can actually reply saying that we are a Cisco switch indeed.
[08:09.100 --> 08:20.740]  For exfiltration, when we exfiltrate data, we actually send it, the honeypot will send the credentials via Telnet or SSH or SNMP.
[08:20.740 --> 08:23.640]  So we have various different formats, right?
[08:23.640 --> 08:28.760]  The T for Telnet, the Telnet enable, the SSH, SSH enable, SNMP.
[08:28.760 --> 08:36.960]  And also, because now we are sniffing credentials, the actual phone could be cascaded to a PC behind it.
[08:36.960 --> 08:40.640]  So we are using net-creds, so that will be the N.
[08:40.640 --> 08:47.420]  And also the SIP, which is the voice hashes that we actually capture.
[08:47.900 --> 08:53.800]  So I didn't want to make this longer, so now demo labs, demo time, right?
[08:56.220 --> 09:03.980]  Okay, so behind me, you will see I set up a lab, actually.
[09:03.980 --> 09:06.800]  I will explain to you what the lab consists of.
[09:06.800 --> 09:16.860]  The lab actually has, on this side, this case you see here, this is actually the whole network infrastructure.
[09:17.120 --> 09:21.120]  I have the blue box on the top, it's actually my internet server.
[09:21.120 --> 09:26.680]  The yellow box is actually my network automation, so network administration server inside the network.
[09:26.680 --> 09:34.100]  The Cisco switch, a real one, called TK, it's called SWTKY01.
[09:34.100 --> 09:43.800]  I also have a black box, which is my firewall, my proxy, DNS, DHCP, PAC file server, etc.
[09:44.400 --> 09:51.640]  On this side, I have connected an IP phone, cascaded to a PC, right?
[09:51.640 --> 09:56.640]  And in the middle, you will see this box, right?
[09:56.640 --> 10:01.940]  This, which contains one cable going to the phone, the white cable, right?
[10:01.940 --> 10:05.660]  And the other cable going to the infrastructure, right?
[10:05.860 --> 10:12.560]  And of course, power, because this is using a magic power cable, right?
[10:13.140 --> 10:15.320]  Are we good? Yes, okay.
[10:15.480 --> 10:20.000]  So, let's move on.
[10:22.820 --> 10:28.660]  Okay, on the right side, I got access to my yellow box, which is my network automation.
[10:28.660 --> 10:35.460]  On the bottom, I have access to my blue box, which is my internet server, which will be receiving, called Carpa, right?
[10:35.460 --> 10:38.120]  Will be receiving the credentials from the internet.
[10:38.120 --> 10:44.240]  And on the top, I have access to Circo, which is actually out of band.
[10:44.240 --> 10:47.540]  So, first of all, let's start Carpa.
[10:55.760 --> 11:02.540]  And before I start Circo, I want to connect to the real switch.
[11:03.220 --> 11:05.980]  This is the real Cisco switch on my infrastructure.
[11:06.460 --> 11:09.640]  Switch Tokyo 01, show CDP neighbors.
[11:09.640 --> 11:13.800]  Okay, I have a CDP, which is the phone, actually, that you saw on the back.
[11:15.360 --> 11:16.640]  LLDP.
[11:17.740 --> 11:20.880]  Nothing, because that phone only speaks CDP.
[11:21.040 --> 11:30.120]  Right, so, I'm going to start Circo in reverse mode, bridge mode, and actually, maybe, ping, right?
[11:30.860 --> 11:32.540]  That's the exfiltration.
[11:35.020 --> 11:37.860]  So, I will explain to you first.
[11:38.680 --> 11:47.260]  Before this happened, what I do is actually collect CDP details and LLDP from the actual real switch, just to get the names.
[11:47.260 --> 11:52.240]  I'm going to derive the name, so it's a similar name to what already exists.
[11:52.580 --> 11:59.120]  Okay, I change my MAC address, get an IP address from the server.
[12:02.280 --> 12:17.080]  I start a sniffer, create a template, and bring up all the honeypots, which is all of this, CDP, LLDP, IOS, Telnet, SSH, SNMP, and also the OS fooler for the TCP fingerprint.
[12:17.660 --> 12:19.720]  Services are actually fingerprinted, right?
[12:19.720 --> 12:21.780]  And for exfiltration, I select ping, right?
[12:21.780 --> 12:28.100]  Okay, so now if I do show CDP neighbor from the real switch, I can see there is another switch here.
[12:28.100 --> 12:31.740]  Okay, so CDP neighbor details.
[12:31.780 --> 12:42.340]  I can see the switch is called SWTKY03, has a 10.10.10.152, and is 2960 ATC.
[12:42.500 --> 12:44.540]  So, what about LLDP?
[12:45.500 --> 12:47.140]  Show LLDP neighbors.
[12:47.140 --> 12:52.100]  Okay, LLDP as well, I can see the same switch connected via CDP and LLDP.
[12:52.100 --> 13:04.840]  If I do the details, I can see the chassis, which match the MAC address I'm setting up, the interface, the name, the software version running, and the capabilities from the switch itself.
[13:04.840 --> 13:06.940]  And the VLAN ID also, right?
[13:06.940 --> 13:10.060]  Standard LLDP information you get.
[13:11.660 --> 13:14.370]  Alright, so I'm in my automation tool.
[13:14.680 --> 13:19.320]  Let's see if I can ping that 152, 10.10.10.152.
[13:19.380 --> 13:21.040]  Yes, I can ping it.
[13:22.240 --> 13:29.600]  Alright, so let's try 10.10.10.152.
[13:30.420 --> 13:32.420]  Okay, I connect.
[13:32.500 --> 13:34.080]  So let me type.
[13:36.320 --> 13:38.600]  Username and a password.
[13:38.600 --> 13:40.820]  Okay, I got access to the Cisco switch.
[13:40.820 --> 13:43.000]  Show version.
[13:43.600 --> 13:46.000]  Give me a version of the Cisco switch.
[13:46.000 --> 13:50.820]  If you see on Circo itself, it starts to say, sending credentials via ping.
[13:50.820 --> 13:52.580]  That means that it got credentials.
[13:52.580 --> 13:56.440]  So those credentials will appear on the bottom screen on Carpa, right?
[13:56.440 --> 13:58.140]  Because they're coming via ping.
[13:58.140 --> 14:02.100]  Carpa is on the internet, and Circo is on the internal network, right?
[14:04.460 --> 14:05.900]  Show inventory.
[14:06.760 --> 14:08.600]  Show IP route.
[14:08.780 --> 14:10.460]  Show interface description.
[14:10.460 --> 14:11.540]  It behaves like a Cisco.
[14:11.540 --> 14:14.340]  Show IP ARP.
[14:14.340 --> 14:16.220]  Show MAC address.
[14:16.240 --> 14:18.680]  Show status.
[14:20.580 --> 14:21.380]  Alright?
[14:21.380 --> 14:27.360]  As you can see on the bottom of the screen, you see that credentials are coming from protocol Telnet.
[14:27.360 --> 14:30.320]  Username hola, password descon.
[14:30.740 --> 14:31.600]  You see?
[14:31.660 --> 14:33.420]  What about if I do enable now?
[14:34.160 --> 14:36.060]  I can enable as well.
[14:36.060 --> 14:41.460]  I can do some commands, like show run.
[14:43.880 --> 14:46.000]  And give me a configuration.
[14:46.060 --> 14:47.640]  But I cannot do some commands.
[14:47.980 --> 14:53.380]  I'm not authorized, because I didn't code the whole IOS honeypot.
[14:53.380 --> 14:56.500]  Just enough for the automation tool to find out.
[14:57.480 --> 15:00.220]  Similar should work via SSH.
[15:00.800 --> 15:02.300]  You can see in Carpa.
[15:02.300 --> 15:06.200]  Now Carpa received a credential via Telnet.
[15:06.340 --> 15:08.660]  And the credential was secret.
[15:09.220 --> 15:10.720]  Enable mode, right?
[15:11.880 --> 15:15.840]  So I can also, I should be able to SSH as well.
[15:21.480 --> 15:24.160]  Yep, I got this via SSH.
[15:24.160 --> 15:25.240]  Same thing.
[15:25.240 --> 15:28.000]  Same commands via SSH and Telnet are provided.
[15:28.540 --> 15:29.280]  Right?
[15:29.600 --> 15:30.800]  Inventory.
[15:31.360 --> 15:33.500]  Also I can put enable.
[15:36.760 --> 15:39.320]  Again, I get the same commands, right?
[15:43.410 --> 15:45.370]  So what else we can do?
[15:45.370 --> 15:48.070]  Well, we can do an SNMP walk, right?
[15:49.770 --> 15:51.830]  Version 2, community.
[15:51.830 --> 15:53.330]  Here's a trick, right?
[15:53.370 --> 15:58.690]  The automation tool will first try their own community, the internal community they use in all devices.
[15:58.690 --> 16:02.950]  If that fails, they will switch to public, right?
[16:02.950 --> 16:08.700]  So let's try community.
[16:09.100 --> 16:13.140]  10.10.10.152, right?
[16:13.600 --> 16:16.380]  I should escape that.
[16:17.460 --> 16:19.060]  Wrong key.
[16:22.840 --> 16:30.220]  So what happened here, you can see on the Carpa in the meantime, that credentials start to arrive.
[16:30.640 --> 16:34.780]  My pass, SSH, user admin, my pass, right?
[16:34.780 --> 16:40.940]  When I do an SNMP walk for this community, I don't get any answer.
[16:41.140 --> 16:43.260]  However, I did capture it.
[16:44.160 --> 16:49.420]  So automation tools will try public, they will fall back to public, right?
[16:49.420 --> 16:51.620]  And if I do that, let me cut it.
[16:52.760 --> 17:00.220]  When I do public, it actually replies as a Cisco switch with the name SWTKY03, right?
[17:00.220 --> 17:02.320]  So it behaves as a Cisco switch.
[17:03.940 --> 17:07.000]  Okay, what else we can try?
[17:07.140 --> 17:15.960]  Oh, by the way, let me show you all those credentials that Carpa is storing in a text file.
[17:16.020 --> 17:18.380]  There you go, the enable password.
[17:18.980 --> 17:24.100]  All those credentials are being stored in a text file, of course, but they're also being pushed to Faraday.
[17:25.280 --> 17:32.980]  So if I log in to my Faraday dashboard,
[17:32.980 --> 17:40.820]  if I go to manage, hosts, it will automatically create a host and also add credentials to it.
[17:40.820 --> 17:45.380]  So you see that host, it has a telnet, the username and the password.
[17:45.840 --> 17:48.220]  The E stands for enable, of course, right?
[17:49.240 --> 17:53.600]  So those are being pushed automatically from Carpa into Faraday, right?
[17:55.480 --> 17:56.520]  Oops.
[17:58.280 --> 17:59.240]  All right.
[18:00.080 --> 18:02.760]  The SNMP did not arrive yet.
[18:03.980 --> 18:05.880]  It should arrive soon.
[18:06.320 --> 18:11.100]  I think I'm cycling the credentials every 60 seconds, 30 seconds, I can't remember.
[18:11.200 --> 18:14.160]  So what about now? Let's try nmap.
[18:16.740 --> 18:19.920]  -sV for 10.10.152.
[18:20.220 --> 18:23.340]  And this is funny, you will see some...
[18:23.340 --> 18:32.840]  When I run nmap for service enumeration, you may see paramiko errors here, but there's nothing wrong with it.
[18:32.840 --> 18:38.880]  It's just because the debug mode is showing that, but nothing crashed on Circo, it's still running.
[18:40.180 --> 18:50.840]  So once I do the nmap, let's see what nmap says I have running on that 10.10.10.152, which is my fake Cisco switch, right?
[18:52.720 --> 19:02.020]  Okay, so it has recognized I have an SSH and a Telnet, which are Cisco daemons, and also it detects the device as a Cisco IOS router.
[19:02.400 --> 19:12.560]  Not bad. Here you go. I got the community as well here, the SNMP community, and that should also be pushed here.
[19:12.560 --> 19:14.220]  Let me refresh this.
[19:15.080 --> 19:17.640]  No, not pushed yet.
[19:17.640 --> 19:21.480]  It should be coming up.
[19:25.730 --> 19:28.010]  Maybe I need to refresh that.
[19:31.650 --> 19:36.570]  Or maybe I'm excluding, actually, SNMP. Yeah, most likely.
[19:36.890 --> 19:40.870]  I need to add it. Alright, no big deal.
[19:42.470 --> 19:44.350]  Okay, what else?
[19:45.770 --> 19:48.330]  Let's stop this for a second.
[19:48.830 --> 19:53.010]  So those are pretty much all the features that we've been running in the past.
[19:53.010 --> 19:57.330]  So now I'm going to show you the new features we've been working on.
[19:58.030 --> 20:04.910]  First of all, let's bring up Circo with DNS.
[20:08.050 --> 20:12.290]  And I'm going to connect to my PC on the back.
[20:13.190 --> 20:15.530]  I'm going to connect remotely.
[20:17.790 --> 20:21.010]  And I'm going to...
[20:21.010 --> 20:28.110]  So I'm going to generate, this is a PC running on the back, and I'm going to generate some FTP and Kerberos traffic.
[20:28.470 --> 20:32.330]  I'm going to replay some traffic, some pcaps, basically.
[20:32.790 --> 20:38.990]  So when I start Circo, I'm specifying this, minus D, DNS, right? Exfiltration DNS, for example.
[20:39.290 --> 20:43.870]  And here, it's starting the net-creds sniffer, right?
[20:44.230 --> 20:50.210]  So the PC now is using FTP and Kerberos, etc. from the PC, right?
[20:50.210 --> 20:55.710]  So because I'm sniffing the traffic that comes from the PC, I'm also going to exfiltrate that traffic too.
[20:56.950 --> 21:00.810]  That's just running until all the packets run, right?
[21:02.730 --> 21:08.110]  So it clearly finds some credentials, and it gets exfiltrated by DNS.
[21:08.610 --> 21:19.050]  There you go. The N for net-creds, username and a password, and the actual FTP and destination port that those credentials work on.
[21:19.050 --> 21:25.870]  That's important because here is the source port of the automation tool or whoever connected to it, right?
[21:25.870 --> 21:29.830]  But in net-creds, I care about the destination.
[21:32.790 --> 21:34.990]  What else do I have to show you?
[21:35.850 --> 21:37.830]  I actually should have some...
[21:39.470 --> 21:43.630]  Let's move on into something else, right?
[21:43.630 --> 21:46.010]  Let me cut this. You get the sense.
[21:47.910 --> 21:49.370]  Stop this.
[21:50.750 --> 21:51.550]  Okay.
[21:51.890 --> 21:56.490]  So I'm going to show you the spoofing feature, right?
[21:59.690 --> 22:04.590]  TCP 25 for exfiltration and --spoof, right?
[22:05.550 --> 22:08.490]  For that, I'm going to connect into...
[22:09.270 --> 22:10.950]  I need to specify...
[22:11.550 --> 22:19.190]  I'm going to connect into the gateway, which is a black box on the lab, which is my firewall, right?
[22:19.190 --> 22:22.370]  So I'm filtering for port 25, right?
[22:22.370 --> 22:26.990]  So originally my MAC address is this one, right?
[22:26.990 --> 22:30.470]  And my IP was 152, 10.10.152.
[22:30.470 --> 22:34.630]  But because I specified --spoof, right?
[22:35.050 --> 22:38.590]  I'm actually starting the spoof discovery.
[22:38.590 --> 22:47.030]  What it does is look on the other interface for packet and MAC address combinations and use those when I do exfiltration, right?
[22:48.930 --> 22:50.130]  Okay.
[22:55.060 --> 23:01.200]  So for that, I probably... let's see if I can finish one.
[23:02.280 --> 23:07.160]  Okay, I found a MAC address, which is 100 and this MAC address.
[23:07.580 --> 23:10.040]  So I'm 25. So what I'm going to do is...
[23:10.620 --> 23:15.660]  I can ping this, so I'm going to connect again just to generate some credentials.
[23:21.190 --> 23:22.550]  All right.
[23:22.550 --> 23:26.470]  So that should trigger some credentials.
[23:26.470 --> 23:30.680]  And if I check the actual packet captures...
[23:33.530 --> 23:36.630]  Did I hit enter here? No.
[23:38.810 --> 23:41.930]  So I'm capturing packets. There you go.
[23:41.930 --> 23:43.800]  I start to see packets coming in.
[23:44.170 --> 23:48.350]  And as you can see, the source IP is 100.
[23:48.350 --> 23:51.590]  And the actual MAC address is matching.
[23:51.590 --> 23:55.450]  This is actually the PC, the PC behind me, probably.
[23:58.340 --> 23:59.480]  Okay.
[23:59.780 --> 24:03.220]  Something went wrong here.
[24:03.240 --> 24:06.120]  Probably some characters.
[24:06.320 --> 24:08.340]  Let me run it again.
[24:09.320 --> 24:10.540]  Okay.
[24:10.580 --> 24:12.960]  So that is done there.
[24:12.960 --> 24:15.100]  So now I'm going to do is...
[24:15.960 --> 24:19.520]  I'm going to show you the VoIP features, right?
[24:20.460 --> 24:21.500]  Yes.
[24:21.620 --> 24:22.900]  Cancel, cancel.
[24:23.420 --> 24:24.320]  All right.
[24:24.320 --> 24:29.580]  For that, we use DNS and voice.
[24:29.980 --> 24:32.140]  VoIP? VoIP. I think it's VoIP.
[24:32.140 --> 24:32.900]  Yes.
[24:35.500 --> 24:38.600]  For this, I will need the...
[24:38.600 --> 24:40.360]  I will need to make a phone call, actually.
[24:41.420 --> 24:42.180]  Right.
[24:43.280 --> 24:46.220]  Is this phone actually logged in?
[24:51.600 --> 24:53.040]  Yep, it is actually.
[24:53.720 --> 24:56.040]  So what I'm going to do...
[25:05.650 --> 25:07.110]  Start Carpa.
[25:07.190 --> 25:08.910]  Exfiltration is DNS.
[25:09.050 --> 25:11.370]  And SIP hash collector, right?
[25:11.370 --> 25:13.610]  And RTP captures, okay?
[25:13.610 --> 25:15.370]  So I'm going to make a phone call.
[25:29.610 --> 25:30.890]  Hello?
[25:30.910 --> 25:32.230]  Pick it up.
[25:33.050 --> 25:34.010]  Hello?
[25:38.430 --> 25:39.930]  All right.
[25:40.150 --> 25:41.490]  I make a call.
[25:41.510 --> 25:42.310]  Great.
[25:42.310 --> 25:45.630]  As you can see now, it says sending credentials via DNS.
[25:45.630 --> 25:48.810]  This is because that phone probably sent a SIP request.
[25:48.910 --> 25:51.570]  So that means that it's going to get a SIP hash, right?
[25:53.190 --> 25:53.670]  So...
[25:56.390 --> 25:57.310]  Here you go.
[25:57.310 --> 25:57.690]  Yeah.
[25:57.690 --> 25:58.950]  SIP credentials, right?
[25:59.410 --> 26:01.750]  So those should be arriving in Carpa.
[26:01.750 --> 26:03.950]  And they should have the format with a V.
[26:03.950 --> 26:04.950]  There you go.
[26:05.290 --> 26:07.670]  This is a SIP hash, actually, right?
[26:07.670 --> 26:09.750]  These two pieces.
[26:09.750 --> 26:15.470]  And this is actually the registered SIP, the username, and the type of phone system.
[26:17.070 --> 26:17.670]  So...
[26:18.990 --> 26:26.950]  Because we actually keep the captures of the RTP stream and the SIP for control,
[26:26.950 --> 26:29.270]  so what we can do...
[26:29.270 --> 26:32.330]  We cannot actually transfer these because they are big files,
[26:32.330 --> 26:36.430]  but what we can do is once we pick up Circo after the assessment,
[26:36.430 --> 26:38.670]  we can actually grab the pcaps.
[26:38.670 --> 26:39.930]  And...
[26:41.490 --> 26:42.850]  pcap to WAV.
[26:42.850 --> 26:44.690]  pcap to WAV.
[26:44.990 --> 26:47.890]  I'm going to use the RTP stream.
[26:50.010 --> 26:51.670]  And I'm going to use...
[26:52.550 --> 26:53.990]  I can't remember the...
[26:55.190 --> 26:56.130]  pcap to WAV.
[26:56.130 --> 26:57.210]  pcap to WAV.
[26:57.210 --> 26:58.050]  What was it?
[26:58.050 --> 26:59.570]  P. Okay.
[27:01.230 --> 27:02.230]  RTP.
[27:02.230 --> 27:03.070]  RTP.
[27:03.070 --> 27:03.970]  RTP.
[27:03.970 --> 27:04.710]  P.
[27:04.950 --> 27:05.630]  And...
[27:05.630 --> 27:06.490]  Mix.
[27:11.200 --> 27:12.140]  Okay.
[27:12.140 --> 27:14.700]  So this will generate the WAV file.
[27:17.400 --> 27:21.840]  I should be able to play it back.
[27:22.320 --> 27:25.640]  Of course I need to extract it, right?
[27:27.260 --> 27:27.620]  So...
[27:27.980 --> 27:31.920]  Let's copy this to my actually...
[27:31.920 --> 27:34.760]  10.10.117...
[27:39.150 --> 27:40.590]  Username as well.
[27:47.140 --> 27:48.420]  It's not.
[27:49.520 --> 27:51.560]  20.10. There you go.
[27:57.360 --> 27:58.220]  Okay.
[27:58.980 --> 28:00.260]  There you go.
[28:00.460 --> 28:04.340]  So if I do play of that file...
[28:06.660 --> 28:07.680]  Hello? Hello?
[28:09.320 --> 28:11.440]  As you can see, there you go.
[28:11.520 --> 28:12.980]  You get your WAV file.
[28:13.440 --> 28:14.380]  Great!
[28:16.160 --> 28:16.640]  So...
[28:17.140 --> 28:19.500]  I got one more feature to show you,
[28:19.500 --> 28:20.200]  which is...
[28:20.200 --> 28:24.000]  Let's bring up Circo, this time with FM and wireless...
[28:25.200 --> 28:26.400]  Exfiltration.
[28:26.820 --> 28:28.900]  But for here...
[28:28.900 --> 28:30.500]  I need to show you...
[28:32.020 --> 28:32.740]  Jaula.
[28:33.160 --> 28:34.740]  Jaula is actually my...
[28:36.760 --> 28:38.700]  Different computer.
[28:38.700 --> 28:41.840]  Different laptop running wireless and the SDR dongle.
[28:42.040 --> 28:44.600]  So here I will run this...
[28:44.600 --> 28:45.240]  Verbose.
[28:45.240 --> 28:47.040]  I will specify the frequency.
[28:47.040 --> 28:49.980]  10.7. The wireless interface.
[28:50.300 --> 28:52.140]  And a log file.
[28:56.010 --> 28:57.130]  Alright?
[28:57.610 --> 29:01.850]  So, before I run that, I want you to understand that I'm going to be...
[29:03.070 --> 29:05.750]  Using FM, so I bring up a...
[29:06.950 --> 29:09.210]  Screen so you can see it.
[29:09.490 --> 29:10.990]  Let me bring this up.
[29:10.990 --> 29:14.130]  Channel 10 for wireless and frequency for FM.
[29:15.090 --> 29:17.030]  This is the decoder.
[29:18.470 --> 29:20.390]  And for RDS.
[29:20.390 --> 29:22.770]  Let me do that.
[29:22.950 --> 29:24.170]  Ok.
[29:28.280 --> 29:29.680]  Maybe there.
[29:29.680 --> 29:30.820]  Right.
[29:31.360 --> 29:35.020]  So, now I'm going to...
[29:36.060 --> 29:38.800]  Go back to my screen.
[29:38.860 --> 29:42.220]  And actually start Circo.
[29:51.680 --> 29:57.120]  I'm starting with the wireless and the FM modules on.
[30:05.080 --> 30:08.260]  Let me see if I can do something else here.
[30:19.120 --> 30:20.060]  Alright.
[30:20.060 --> 30:21.320]  This is started.
[30:21.320 --> 30:23.540]  So I'm going to Telnet again.
[30:23.940 --> 30:26.700]  And I'm going to put some credentials.
[30:32.560 --> 30:33.840]  Alright.
[30:34.940 --> 30:35.580]  So...
[30:36.160 --> 30:37.500]  Starting exfiltration.
[30:37.500 --> 30:40.460]  So I'm going to switch to my Jaula.
[30:42.160 --> 30:44.140]  You see the silence now?
[30:45.040 --> 30:48.780]  You can see that there is a new station called Circo,
[30:48.780 --> 30:51.820]  with different program types and a different PI.
[30:51.820 --> 30:55.480]  This is the RDS type of the FM protocol.
[30:55.480 --> 30:58.520]  Well, not the FM protocol but the RDS protocol.
[30:58.620 --> 31:01.320]  On the bottom you can see I already start to...
[31:02.800 --> 31:07.160]  To actually exfiltrate credentials here.
[31:09.770 --> 31:11.550]  The WiFi one.
[31:11.550 --> 31:12.350]  The telnet.
[31:12.350 --> 31:13.330]  The username.
[31:13.330 --> 31:14.570]  Mundoi.
[31:14.570 --> 31:16.650]  Clearly I typed it wrongly.
[31:17.090 --> 31:18.810]  And also from FM.
[31:19.650 --> 31:23.570]  So you can see both credentials coming from FM and actually...
[31:24.590 --> 31:28.630]  Let me cut it so we are not all deaf.
[31:28.690 --> 31:33.030]  So we get the credentials by FM and actually by wireless as well.
[31:37.970 --> 31:39.330]  Alright.
[31:39.490 --> 31:42.490]  That is pretty much it.
[31:43.730 --> 31:44.410]  So...
[31:44.410 --> 31:47.410]  Before we move on I want to explain to you about...
[31:48.190 --> 31:49.700]  One more thing.
[31:51.970 --> 31:53.290]  Let me...
[31:54.230 --> 31:54.890]  Go...
[31:55.400 --> 31:56.390]  Here.
[31:56.690 --> 31:57.570]  Ok.
[31:58.110 --> 31:59.670]  Close this.
[32:01.150 --> 32:03.550]  And let's start Circo one more time.
[32:03.550 --> 32:04.330]  Bridge.
[32:04.330 --> 32:05.350]  Spin.
[32:07.980 --> 32:12.090]  There is one more feature which is actually the light sensor, right?
[32:12.090 --> 32:15.050]  So for this I probably will...
[32:15.050 --> 32:16.810]  Need to go to switch.
[32:16.810 --> 32:19.530]  Let me see once Circo starts.
[32:20.030 --> 32:22.090]  Carpa is already on.
[32:23.010 --> 32:23.730]  Ok.
[32:23.730 --> 32:26.710]  So I will need to move to...
[32:26.710 --> 32:28.430]  Back camera probably.
[32:28.930 --> 32:31.410]  Once this stuff is up.
[32:32.650 --> 32:34.390]  Yep, it's up.
[32:35.250 --> 32:36.530]  Alright.
[32:38.430 --> 32:39.530]  Ok.
[32:41.090 --> 32:41.730]  So...
[32:41.730 --> 32:43.450]  This is what I'm going to do.
[32:44.930 --> 32:47.430]  I'm going to open this box, right?
[32:59.570 --> 33:00.530]  Ok.
[33:13.830 --> 33:15.470]  Let me see if I can get it...
[33:21.500 --> 33:22.680]  There you go.
[33:27.290 --> 33:29.390]  Ok, what do we have inside?
[33:30.290 --> 33:31.270]  Let me see if...
[33:31.270 --> 33:33.550]  Maybe I do a bit like that.
[33:34.290 --> 33:35.210]  There you go.
[33:35.630 --> 33:37.690]  So we have a Raspberry Pi.
[33:37.990 --> 33:39.630]  Power components.
[33:40.890 --> 33:41.370]  And...
[33:41.370 --> 33:44.750]  On the bottom here we have a light sensor, right?
[33:51.070 --> 33:53.750]  So if I switch back...
[33:53.750 --> 33:54.430]  You will see...
[33:56.010 --> 33:58.070]  Carpa is receiving an alarm.
[33:58.390 --> 33:59.290]  And it actually...
[34:02.570 --> 34:03.250]  Circo...
[34:03.250 --> 34:05.750]  Recognized the case has been opened.
[34:05.750 --> 34:06.170]  Right.
[34:06.170 --> 34:07.270]  Circo.
[34:08.510 --> 34:10.830]  So that's pretty much it.
[34:10.830 --> 34:13.570]  So one thing I want to show you guys.
[34:13.590 --> 34:15.110]  It's a magic cable.
[34:21.300 --> 34:23.500]  So the magic cable I told you about was...
[34:24.540 --> 34:26.660]  It looked like a cable like that.
[34:26.680 --> 34:27.360]  You know.
[34:28.000 --> 34:31.180]  In Japan they come like that. This is for earth, right?
[34:33.240 --> 34:33.720]  This...
[34:34.280 --> 34:36.200]  This is not a magic cable.
[34:36.200 --> 34:37.600]  There's no magic here.
[34:38.760 --> 34:40.760]  You also can get magic here.
[34:40.760 --> 34:42.520]  This type of cables, right?
[34:42.580 --> 34:43.560]  This is earth.
[34:43.560 --> 34:45.400]  Or the British cables.
[34:45.400 --> 34:46.860]  Which is this one, right?
[34:46.980 --> 34:48.940]  So where does the magic come from?
[34:49.060 --> 34:50.620]  Well, the magic is like...
[34:50.620 --> 34:52.080]  I'm using the GPIO.
[34:52.080 --> 34:54.760]  A pin on the Raspberry to modulate the FM frequency.
[34:54.760 --> 34:56.400]  And I need basically an antenna.
[34:56.560 --> 34:58.320]  So one way to get an antenna
[34:58.400 --> 34:59.600]  is actually...
[34:59.600 --> 35:02.700]  there's an earth cable inside the power cable.
[35:02.840 --> 35:04.880]  So if you look into the...
[35:04.880 --> 35:08.440]  where that earth cable connects into the...
[35:08.440 --> 35:09.800]  Circo.
[35:09.800 --> 35:12.260]  You will see there's a white cable coming out.
[35:15.950 --> 35:17.590]  This white cable.
[35:18.610 --> 35:20.970]  It comes out from earth.
[35:22.330 --> 35:25.290]  And it goes to the GPIO of the Raspberry.
[35:26.370 --> 35:28.550]  And that is my earth, right?
[35:28.550 --> 35:29.970]  So that basically...
[35:34.900 --> 35:38.980]  That gives me actually a 2-3 meter FM antenna,
[35:38.980 --> 35:39.440]  which gives great...
[35:40.940 --> 35:42.980]  Great distance reach.
[35:43.220 --> 35:43.820]  So...
[35:43.820 --> 35:46.180]  This is another method for exfiltrating
[35:46.180 --> 35:52.140]  when wireless is not an option due to the 50-80 meters range, right?
[35:52.140 --> 35:54.580]  You can go longer with FM.
[35:55.340 --> 35:56.620]  All right.
[35:57.820 --> 35:59.540]  That's all, guys.
[36:01.000 --> 36:01.640]  So...
[36:01.640 --> 36:04.180]  I hope you actually enjoyed it.
[36:04.180 --> 36:06.140]  And let me know if anything...
[36:07.760 --> 36:10.560]  Questions, just shout out, right?
[36:12.020 --> 36:14.020]  Okay, thanks.
[36:14.460 --> 36:15.520]  See ya.
